Implementing the human right to science in the regulatory governance of artificial intelligence in healthcare

Abstract Artificial intelligence (AI) enables a medical device to optimize its performance through machine learning (ML), including the ability to learn from past experiences. In healthcare, ML is currently applied within controlled settings in devices to diagnose conditions like diabetic retinopathy without clinician input, for instance. In order to allow AI-based medical devices (AIMDs) to adapt actively to its data environment through ML, the current risk-based regulatory approaches are inadequate in facilitating this technological progression. Recent and innovative regulatory changes introduced to regulate AIMDs as a software, or ‘software as a medical device’ (SaMD), and the adoption of a total device/product-specific lifecycle approach (rather than one that is point-in-time) reflect a shift away from the strictly risk-based approach to one that is more collaborative and participatory in nature, and anticipatory in character. These features are better explained by a rights-based approach and consistent with the human right to science (HRS). With reference to the recent explication of the normative content of HRS by the Committee on Economic, Social and Cultural Rights of the United Nations, this paper explains why a rights-based approach that is centred on HRS could be a more effective response to the regulatory challenges posed by AIMDs. The paper also considers how such a rights-based approach could be implemented in the form of a regulatory network that draws on a ‘common fund of knowledges’ to formulate anticipatory responses to adaptive AIMDs. In essence, the HRS provides both the mandate and the obligation for states to ensure that regulatory governance of high connectivity AIMDs become increasingly collaborative and participatory in approach and pluralistic in substance.


I. INTRODUCTION
In April 2018, the Food and Drug Administration (FDA) in the USA authorized IDx-DR (recently renamed as LumeneticsCore) 1 to be marketed as the first Artificial Intelligence (AI) diagnostic system that does not require clinician interpretation to detect greater than a mild level of diabetic retinopathy in adults diagnosed with diabetes. 2In essence, this fully autonomous prescription software device incorporates an adaptive algorithm to evaluate images of the eye taken with a retinal camera that are uploaded to a cloud server. 3A screening decision is made by the device as to whether the individual concerned is detected with 'more than mild diabetic retinopathy'.If so, this individual is referred to an eye care professional for medical attention.From a regulatory standpoint, software intended for use by healthcare professionals and patients in the USA must comply with basic regulatory requirements, including medical device listing and labeling, premarket notification (unless exempted) or premarket approval (PMA), investigational device exemption for clinical studies, and quality system regulation.In Europe, IDx-DR has secured a Class IIa CE mark (further discussed below) for the autonomous detection of referable diabetic retinopathy. 4Similar AI-based medical devices (AIMDs) for the remote diagnosis of diabetic retinopathy developed by Shenzhen Guiji and Shanghai Yingtong have received regulatory approval from the National Medical Products Administration (NMPA), 5 which is responsible for regulating medical devices (whether standalone AIMDs or otherwise) in China. 6ike conventional medical devices, 7 the regulation of AIMDs is risk-based, contextspecific, and case-sensitive.Unlike the former however, the risk profiles of technically sophisticated AIMDs can significantly deviate from the versions that secured regulatory approval since some of these devices have the capability of adapting to new conditions through 'unsupervised' learning, and thereby present concerns over patient safety and effectiveness.Recognizing that the conventional point-in-time regulatory approach is not well suited for AIMDs that undergo fast-paced cycles of iterative modifications, regulators from major AIMD jurisdictions have, working singly and collaboratively through the International Medical Device Regulators Forum (IMDRF), identified regulatory principles and mechanisms that facilitate risk categorization and management, but these endeavors are still ongoing. 8The FDA has, for instance, presented a proposed regulatory framework for certain types of anticipated software modifications and associated methodology used to implement the changes in a discussion paper. 9This proposed framework was developed based on FDA's existing risk management principles, benefit-risk framework, and organization-based total product lifecycle approach, as well as the IMDRF's risk categorization principles, and forms the basis of an action plan for AI or machine learning (ML) software as a medical device following extensive feedback received from its stakeholders. 10This regulatory framework proposed by the FDA will be further discussed below.For now, it suffices to say that the emerging form of regulatory governance for AIMDs is decentralized, collaborative, and pre-emptive. 11his paper examines how the human right to science (HRS) may be applied to explain a shift from the point-in-time regulation of non-AI medical devices to the total device/product lifecycle regulation of AIMDs like IDx-DR.Additionally, it explores how HRS could help steer regulatory evolution toward the establishment of a regulatory approach that is participatory and, in terms of its epistemic (knowledge) features, pluralistic and anticipatory.This approach in turn helps to sustain and stabilize a sociotechnical imagination of a desirable future that is 'animated by 4 • Implementing HRS in regulatory governance of AIMDs shared understandings of forms of social life and social order attainable through, and supportive of, advances in science and technology' and consistent with a rights-based approach in general. 12ooking beyond the narrow construct of risks that has been foundational to the regulation of non-AI medical devices, 13 this paper argues that HRS could serve as a cultural prism that magnifies specific contexts of rationalization.By making explicit the social conditions, moral commitments, political movements, institutional arrangements, and technical means that underscore the regulatory governance of non-AI medical device, I explain why a rights-based approach is not only necessary for its focus on participation and collaboration, 14 but is further consistent with the wider initiative of developing learning healthcare systems. 15After all, the language of 'risks' offers but one (albeit crucial) avenue to consider metaphors (like 'technical', 'ethical', and 'legal') which serve to frame fundamental conceptions of 'regulatory space' and 'governance', as well as how they are being put together.The high connectivity of AIMDs and their capacity to adapt to their digital environment in order to optimize performance underscore the need to re-configure our understanding of contexts and meanings.Active regulatory participation cannot be limited to the pilot or feasibility stages of medical device trials.If continuous risk-monitoring is required to support the use of AIMDs in a learning healthcare system, more robust, responsive, and participatory regulatory mechanisms are needed, not less. 16There is of course a danger that the total device/product lifecycle regulatory approach could give rise to intrusive political constraints and excessive bureaucratic controls on scientific activities.Here too, the HRS provides instructive guidance in that enjoyment of the benefits of science is in many ways contingent on existence of effective protection of the freedom that is indispensable for scientific research and creative activity, as well as the moral and material interests resulting from any scientific production.Additionally, overly intrusive regulatory intervention will not be consistent with the obligation that states have under the HRS to advance science and to protect and disseminate scientific knowledge and its applications.With a growing number of AIMDs being developed and introduced into clinical care, conventional thinking of medical device regulation that is rooted in the binary of risk assessment and risk management (or otherwise framed in terms of safety and effectiveness) is no longer sustainable.AIMDs provide the opportunity to re-conceptualize the nature and goals of medical devices regulation by drawing reference to HRS, particularly in its participatory or governance sense, 17 as well as to other human rights that may be linked to it.
While the focus of this paper will be mainly on the regulatory approach of the FDA and its implementation of the principles of the IMDRF, references will be made to regulatory developments in China and in the European Union (EU) for the purpose of illustration rather than comparison.This may be useful to reveal ingrained normative commitments that distinguish political communities, particularly in their ways of knowing and reasoning. 18Additionally, the term 'regulation' in this paper is applied broadly as comprising any instrument (legal or non-legal in character) that is designed to channel group behavior. 19Regulatory governance rather than simply regulation is used to highlight the increasingly 'decentered' nature of intentional attempts to manage risk that are undertaken not only by state actors, but also by non-state actors, including commercial firms and civil society organizations.Where technological innovation is concerned, concerns about 'risks' and the need to tame them have been central to regulatory governance. 20Here, regulatory response is taken to reduce the uncertainty and instability of risk conception and mitigation measures, by directing or influencing actors' behavior to accord with socially accepted norms and/or to promote desirable social outcomes. 21here are five main sections to this paper.In Section II that follows, I first explain the normative content of HRS and the core obligations that it imposes on regulators.One such obligation is for regulators to prevent or mitigate risks that arise from technological development and use.I then examine how risk-based approaches have been implemented in major AIMD jurisdictions like the USA, the EU, and China to prevent or mitigate risks that arise from the use of medical devices in Section III.However, these risk-based approaches are unlikely to be effective for AIMDs with ML capability for the reasons that I set out in Section IV.Apart from technological developments that limit regulatory effectiveness, risk-based approaches do not adequately account for the right of every person to participate in and to enjoy the benefits of scientific and technological progress.Recent changes introduced to regulate AIMDs as 'software as medical device', along with the introduction of associated regulatory mechanisms, seek to address some of the limitations.In Section V, I explain that while these developments attempt to improve regulatory effectiveness through means that enhance participation and collaboration, they do not go far enough.I then put forward, in Section VI, how a rights-based approach that is centered on HRS could be a more effective response to the regulatory challenges posed by AIMDs.

II. HUMAN RIGHT TO SCIENCE
The HRS is set out as the key source of specific rights and freedoms to which all humans are entitled in relation to scientific progress and its applications under Article 27 of the Universal Declaration of Human Rights (UDHR), 22 and Article 15 of the International Covenant on Economic, Social and Cultural Rights (ICESCR). 23In 1985, the Committee on Economic, Social and Cultural Rights of the United Nations (UNCESCR) was established to implement the ICESCR.Since then, the UNCESCR has continuously clarified the nature of the economic, social, and cultural rights (ESCR) and their justiciability in terms of the principles, standards, and procedural rules that apply.For the purposes of this paper, the UNCESCR's articulation of the core (or minimum) content of HRS and the core (or minimum) obligations of states in this connection is most pertinent. 24As it explains, the following features must be present in order for HRS to enable everyone to (i) enjoy the benefits of scientific progress and it application; (ii) participate in science as part of cultural (or creative) life (hence inclusive of 'citizen science'); (iii) benefit from the protection of the moral and material interests resulting from any scientific, literary, or artistic production for the inventor or author; (iv) enjoy freedom indispensable for scientific research and creative activity; and (v) take steps for the conservation, development, and diffusion of science.
Where emerging medical technologies are concerned, scholars explain that HRS has at least three essential rights in implementation: first, the right of everyone to benefit from and contribute to scientific and technological progress (or HRS in the public interest sense); second, the right of scientists, for instance, to do research and push forward science and technology (or HRS in a technical sense); and third, countries' duty to provide an enabling environment (or HRS in a governance sense). 25The 'benefits' to which HRS relates is not limited to the material results of scientific research (eg an AIMD) or to the scientific knowledge and information derived from the research, but also to the role of science in forming critical and responsible citizens who are able to participate fully in a democratic society. 26This paper focuses on the core content and obligations of HRS in its governance sense, or what has been described as the 'right for people to have a legislative and policy framework adopted and implemented which aims at making the benefits of scientific progress available and accessibleboth through encouraging new scientific discoveries and through removing barriers for existing scientific knowledge to be used for public benefit'. 27In this connection, the UNCESCR indicates that states have to implement, as a matter of priority, core obligations that include 28 (a) developing a participatory national framework law on HRS (with specification of legal remedies in case of violations) and implementing a participatory national strategy or action plan for the realization of HRS; (b) ensuring access to those applications of scientific progress that are critical to the enjoyment of the right to health and other ESCR; (c) ensuring that (in allocation of public resources) priority is given to research in areas where there is the greatest need for scientific progress in health and the well-being of the population, especially with regards to vulnerable and marginalized groups; (d) ensuing that health professionals are properly trained in using and applying modern technologies resulting from scientific progress; and (e) fostering the development of international contacts and cooperation in the scientific field.While every reasonable effort must be made to implement the core obligations of HRS using the maximum of its available resources (individually and through international assistance and cooperation), the UNCESCR reminds all states that they are also to take into account the totality of the rights enshrined in the ICESCR. 29The right to participate in and to enjoy the benefits of scientific progress in the HRS may constitute an essential tool for the realization of other ESCR. 30he UNCESCR's discussion of the link between HRS and the right to health is especially instructive for its illustration of a rights-based approach to the governance of medical products. 31 available applications of scientific progress necessary to enjoy the highest attainable standard of health. 32It follows that medical devices that are safe and effective should be prioritized in national health plans in order to make the best use of available resources for the fulfillment of ESCRs.There is also an obligation for states to promote scientific research, to create new medical applications and make them accessible and affordable to everyone, especially the most vulnerable. 33Where some scientific research carries health-related risks, states are required to present or mitigate these risks through careful application of the precautionary principle and the protection of participants in scientific research.More specifically, states should make every effort to ensure that 'medical treatments . . .are evidence-based, and that the risks involved have been properly evaluated and communicated in a clear and transparent manner, so that patients can provide properly informed consent.' 34 In the next section, I will show that this aspect of a rights-based approach applies to non-AI medical devices that are currently in use.

III. RISK-BASED REGULATION
In jurisdictions like the USA, the EU, and China, an essentially risk-based approach is applied to regulate medical devices.By this approach, the risk profile of these devices are regarded as quantifiable and static, in the sense that their functions are stable and their outcomes are relatively clear and predictable for the indicated uses.
In the USA, the Federal Food Drug & Cosmetics Act (FD&C Act) defines the term 'device' as 35 an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is . . ..(2) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals; or (3) intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes.
This definition is broadly similar to a definition developed by the Global Harmonization Task Force, 36 and adopted by the World Health Organization. 37For regulatory purposes, medical devices are classified based on their intended use and indications for use, degree of invasiveness, duration of use, and the risks and potential harms associated with their use.At the classification stage, a manufacturer is not expected to have gathered sufficient data to demonstrate that its proposed product meets the applicable marketing authorization standard (eg data demonstrating effectiveness).Implementing HRS in regulatory governance of AIMDs • 9

III.A. United States
It follows that the focus of FDA's classification analysis is on how the product is expected to achieve its primary intended purposes. 38Approximately 1700 different generic types of devices have been classified by the FDA and grouped into 16 medical specialties referred to as panels. 39Each of these generic types of devices is assigned to one of three regulatory classes based on the level of control necessary to assure the safety and effectiveness of the device. 40Unless exempted,41 the class to which the device is assigned determines, among other things, the type of premarketing submission or application required for FDA clearance to market (a) the 510(k) pre-market notification or clearance; (b) de novo classification; or (c) PMA.
All classes of devices are subject to General Controls, 42 which are the baseline requirements of the FD&C Act that applies to all medical devices.Special Controls are regulatory requirements for Class II devices, these being devices for which General Controls alone are insufficient to provide reasonable assurance of the safety and effectiveness of the device, and for which there is sufficient information to establish Special Controls to provide such an assurance. 43Special Controls are usually device-specific and include performance standards, post-market surveillance, patient registries, special labeling requirements, premarket data requirements, and operational guidelines.Class III devices are those intended to be used in supporting or sustaining human life or preventing impairment of human health; or that may present a potentially unreasonable risk of illness or injury for which General Controls and Special Controls are insufficient to provide reasonable assurance of the safety and effectiveness of a device; or for which there is insufficient information to make such a determination. 44These devices are subject to General Controls and will require PMA.Table 1  the three classes of devices, their risk classification and associated level of regulatory control, and an indication of whether clinical trials are required for market approval.

III.B. China and the EU
In China, there are many similarities in the regulatory goals and approaches between the NMPA and the FDA, since both authorities are tasked to ensure that medical devices are safe and effective for individual users and for the general public, as the case may be. 45A risk-based approach is also applied by the NMPA in the classification of medical devices: Class I devices are of low risk in that their safety and effectiveness can be ensured through routine administration; Class II devices are of moderate risk and require certain controls to ensure safety and effectiveness; and Class III devices are of high risk.For a medical device in Class II or Class III, the manufacturer will need to provide evidence that its device is safe and effective for the intended uses. 46uch evidence may be in the form of laboratory testing or limited clinical trials, or documents showing that the device has been approved in its country of origin (eg ISO 13485 certification, FDA approval or 'CE' mark in Europe). 47The European regulatory regime applies a slightly different risk-based formulation to regulate medical Implementing HRS in regulatory governance of AIMDs • 11 devices. 48This regime was previously encapsulated in three directives of the European Commission relating to implantable devices, 49 in vitro diagnostic devices, 50 and most other medical devices. 51An amendment was made in 2018 to include software into the definition of 'medical device' as any instrument or tool intended by the manufacturer to be used for human beings for purposes that include diagnosis, prevention, monitoring, treatment, or alleviation of disease. 52Changes to the regulatory framework in the EU have recently come into effect, with the Regulation on Medical Devices (MDR; effective from 26 May 2021) and the In Vitro Diagnostic Devices Regulation (IVDR; effective from 26 May 2022) replacing the three aforementioned Directives. 53he classification schemes in the EU and in China broadly reflect the classification rules established by the IMDRF, 54 and are essentially risk-based.Under the MDR in the EU, a medical device may be classified into one of four categories, 55 based on the intended purposes or uses and their inherent risks. 56A Class I medical device is low risk and do not require independent review.57Every (low-risk) device marketed in the EU must bear a Conformité Européenne (CE) mark.While the CE mark simply indicates that a device conforms to regulatory requirements, it is often confused as representing quality. 58Medical devices that are non-implantable and considered low risk are 'self-marked', in that the manufacturer certifies compliance on its own.Medical devices of moderate and high risks may be assigned to Class IIa, IIb, or III, and will require evidence of safety and efficacy. 59High-risk devices must be reviewed by an independent certification body (called a Notified Body), which is a private company approved by authorities of the EU member states to issue CE certification for a fee.However, certain general requirements apply to all medical devices in the EU regardless of their class categorization, which include meeting the general safety and performance requirements (eg information to be supplied by the manufacturers under Annex I of the MDR), complying with reporting requirements under the medical device vigilance system, and being CE marked (except custom-made devices and devices intended for clinical investigation as other requirements apply).
Recent regulatory changes in China and in the EU (all effective from 2021 onwards) widen the range of products that are regulated, strengthen requirements for clinical data and traceability of the devices, introduce more rigorous monitoring of certification bodies, and improve transparency by requiring more product information to be placed in the public domain. 60Although it has been observed that the definition of 'medical device' may be broader in the EU,61 the determination of device qualification is mainly centered around intended use across all three jurisdictions.In establishing intended use, regulators may consider labeling, advertising claims, and other statements, although it has been suggested that the EU regulations allow for greater scrutiny of subjective intent, in addition to intended uses specified in submission documents. 62

IV. PARTIAL JUSTIFICATION OF RISK-BASED APPROACH IN HRS
As considered above, a classification scheme based on the risks that a medical device presents by its intended purposes (or use) and its inherent risks is the bedrock of medical device regulation in jurisdictions like China, the EU, and the USA, and endorsed by the IMDRF at a global level.Seen through the lens of the HRS, this risk-based approach satisfies all three of its components in enabling patients in particular to benefit from and (through participation in clinical trials) contribute to scientific and technological progress, in allowing researchers and device developers to push the technology forward, and in grounding an enabling environment.However, the story does not end here.This risk-based approach has been and is likely to remain applicable to non-AI medical devices and many AIMDs that have a fixed risk profile, in that their intended purposes (or uses) and inherent risks will not significantly alter over the course of their product lives.Where an AIMD is allowed to adapt to its data environment in order to optimize its performance in real-time through machine (or deep) learning, such a risk classification scheme begins to unravel.

IV.A. Risk Objectification in Pathways to Market Approval
While risk objectification by 'force-fitting' an AIMD into a conventional medical device category has been effective in paving a way forward to market approval for IDx-DR, its ML capability was 'locked' and hence not accounted for.The clinical study that supports the approval was conducted under highly controlled conditions where a relatively small group of carefully selected patients have been recruited to test a diagnostic system along narrow usage criteria at primary care clinics until it was autodidactic. 63ence FDA approval has only been based on IDx-DR functioning like a standard non-AI medical device since the autodidactic functionality has been locked, which in turn rendered the variability of the range of outputs manageable. 64At that stage, IDx-DR was not capable of evaluating the most severe forms of diabetic retinopathy that requires urgent ophthalmic intervention.
The version of IDx-DR that was approved by the FDA in 2018 has several components: (1) Fundus camera attached to a computer to take fundus images of a user's eyes; (2) IDx-DR Client software installed in the computer for users to identify fundus images per eye; (3) IDx-Service software installed on a server hosted at a secure data center to receive fundus images from users; and (4) IDx-DR Analysis, which runs inside IDx-Service and processes the fundus images and returns information on the presence or absence of more-than-mild diabetic retinopathy to IDx-DR Client via IDx-Service. 65Collectively, IDx-DR is categorized as a medical device, and was reviewed under the FDA's de novo premarket review pathway.It was granted Breakthrough Device designation as a medical device that is novel and of low-to-moderate risk. 66his PMA pathway was introduced by the US Congress in 1997 for new categories of devices that are not of high risk if they meet two criteria: (1) the new device presents low-to-moderate risk and is likely to meet the statutory standards for classification into Class I or Class II; and (2) the risks and benefits of the new device are sufficiently understood, such that all risks can be effectively mitigated through the application of statutorily prescribed controls. 67nlike IDx-DR, most Class II medical devices in the USA undergo the 510(k) submission process, which requires a substantial equivalence (SE) analysis based on a device previously cleared by the FDA, also referred to as the predicate device. 68The device under 510(k) review and its predicate device must have the same intended use and technological characteristics.In the absence of a predicate device, the medical device under review will automatically be classified as Class III and will require a PMA submission.The de novo review pathway was created to allow earlier access to novel medical devices that lack an SE predicate device, as it is not as rigorous as the PMA pathway.Although largely similar to the 510(k) submission process, clinical trials data are usually not required for de novo submissions, but the manufacturer must prove that the risks presented by the device is moderate.In contrast, a manufacturer making a 510(k) submission must show that the risk presented by the device is no greater than its SE device.Given the complexity of a de novo submission, the submission fee is substantially higher than a 510(k) submission.Following regulatory approval of the de novo submission of a novel medical device, a new low-risk (Class I) or moderaterisk (Class II) classification for this device type is created. 69Future devices within this device type can be cleared through the 510(k) pathway using the novel device (eg IDx-DR) as a 'predicate', usually without the need for clinical evidence to be generated.It is important to recognize that the 510(k) pathway is not foolproof, and 'fresh' safety concerns may arise with the recall of the predicate for which the novel medical device was cleared.For instance, a recent study reports that devices were six times more likely to be recalled than similar devices if approved based on comparison with a device that had previously undergone a Class I recall. 70he risk profile of IDx-DR was determined based on the results of a prospective clinical trial that obtained retinal fundus photographs and Ocular Coherence Tomography from 900 diabetic patients who were not diagnosed with diabetic retinopathy.Trial results show that IDx-DR was able to achieve sufficient performance when compared with the highest quality reference standard as determined by the Fundus Photography Reading Center, and met predetermined sensitivity and specificity standards for autonomous detection of more-than-mild diabetic retinopathy or diabetic macular edema in people with diabetes and no history of diabetic retinopathy in primary care settings.Approval was granted on the basis that probable benefits of IDx-DR outweighed the probable risks, since early detection of diabetic retinopathy enables early treatment that is needed to prevent significant loss of vision.FDA also notes that the high accuracy of IDx-DR makes the potential risk of false negative low.Even if a false negative should arise, the risk of harm with delayed diagnosis is mitigated by the healthcare provider's recommendation for follow-up screenings, and that the Implementing HRS in regulatory governance of AIMDs • 15 disease itself progresses slowly.A false positive can also arise but no significant risk is introduced for the patient since examination by an eye care professional occurs regularly. 71t the initial stages at least, the regulatory approach that applied to IDx-DR was essentially based on a relatively static conception of risk that enables the continuing application of an essentially point-in-time regulatory scrutiny. 72By this approach, regulatory attention and effort are invested mainly in the stages prior to approval being granted, with the expectation that ongoing scrutiny will be relatively less onerous.

IV.B. Limits of Risk Objectification and 'Objective' Control
The regulatory construction of IDx-DR as a 'risk object' is accomplished by linking the causal attributes of economic and social risks (especially risks to human safety and agency) to its constitutive algorithms reified as a medical device. 73In other words, this 'risk object' is made epistemically 'real' when embedded in a risk discourse.From the 1970s onwards, a shift in policy in the USA and in Western Europe away from absolute safety in regulatory efforts led to a focus on risk analysis for the determination of risk significance, 74 as fresh uncertainties were introduced into what was considered to be settled science (or 'trans-science', where uncertainties gained prominence and importance). 75Risk analysis itself is regarded as comprising at least two distinct parts: risk assessment (where scientific knowledge is relied upon to provide insights on the extent and nature of safety risk), and risk management (where determinations are made as to how risk is to be handled in practice).The origins of the risk assessmentrisk management distinction were intended to keep the already well-established basis of risk assessment apart from practice-based (and often values-laden) risk management.As a policy concern, the conceptual insulation of the more science-based part of risk analysis as risk assessment is considered to be advantageous as it 'should be protected from pressures to shift the assessment of risk because the results are politically inconvenient'. 76his risk assessment-risk management distinction was formally endorsed by US federal agencies in a report on risk management (called the 'Red Book') of the National Research Council (NRC). 77Primarily focused on risk to health presented by toxic substances such as asbestos, risk assessment was taken to be concerned with the characterization of the potential adverse health effects of human exposures to environmental hazards.A recommendation in the Red Book was for uniform inference guidelines to be developed to ensure that risk assessments are consistently applied by federal agencies and protected from inappropriate policy influences.In other words, scientific integrity was secured by ensuring that specific economic and social considerations did not have undue influence, even though the risk assessment process was not confined to exclusively scientific considerations.This essentially technical approach to risk assessment broadly reflects popular understanding of risk as a calculative reasoning, or a 'formal rationality' that enables the efficient ordering and resolution of problems through technical rules and procedures in structures of economy, society, and state. 78y this ordering, risk becomes an instrument of control by directing conduct based on classificatory schemes (risk categorization of medical devices being an example on point) that are aimed at particular goals (of safety and effectiveness levels, for instance).
However, IDx-DR is capable of ML, which is a subset of AI and refers to a set of methods that has the ability to detect patterns in data automatically in order to predict future data trends or for decision-making under uncertain conditions. 79Beyond image analysis, AI-based non-image analytical tools may profoundly impact medical practice in a number of ways, including their potential to improve workflow through precision scheduling, identifying patients who are likely to miss appointments, and producing individually customized examination protocols. 80In the foreseeable future, the ML feature of medical devices will test the limits of conventional means of regulating AIMDs.The challenges to the binary of risk assessment and risk management will be amplified as such medical devices can rapidly deviate from their intended uses and become less predictable, 81 and challenge the conventional distinction that is drawn between the research and clinical contexts. 82As Preeti Mehrotra and others explain, 83 the current regulatory approval process is too binary to address the complexities that arise from the interaction between AIMDs and downstream uses that may in turn be governed by fragmented and uncoordinated entities that include hospital policymakers, medical associations, and other stakeholders.The gap between the safety and efficacy profile of an AIMD may be exacerbated by its less tangible form (discreetness), embodiment of more diverse components (discreteness), greater dispersion across geographical and jurisdictional spaces (diffuseness), and variable degrees of explainability.84

IV.C. Falling Short of the HRS
It was in anticipation of these challenges that a new category of 'risk objects' known as 'software as medical device' (or SaMD) was developed by the IMDRF to govern AIMDs like IDx-DR.If regulators have been insistent that AIMDs should be no different from conventional medical devices in terms of their risk profiles and functional predictability in order to be granted market access approval, the existing risk categorization approach discussed above would have sufficed.However, such a position would have been contrary to the goals of HRS, at least in terms of its three main components considered above.First, patients will not have the opportunity to benefit from, as well as contribute to, the capability of AIMDs to optimize its performance through deeper connectivity with their digital environments in ways that could improve effectiveness and personalize healthcare delivery.Second, scientists will not be able to push forward AI science and technology as the development of AIMDs cannot be limited to experimental trials that are conducted only under strictly controlled conditions.Third, regulators would have failed to provide an enabling regulatory environment that could appropriately balance public interests in facilitating the development of AIMDs, as well as access to AIMDs that are considered safe enough for implementation.
In the section that follows, I consider how the emerging regulatory approach that is centered on SaMD has a broader and more open-ended conception of 'risks', and thereby better reflects the goals of HRS.The regulatory character has become more open in terms of the range of possible outcomes that may be accommodated, participatory in relation to the relationship between the regulator and AIMD developers and/or manufacturers, and anticipatory in its response to foreseeable risks.For instance, the FDA provides intensive guidance to developers/manufacturers for efficient device development by collaboratively considering means to expedite evidence generation on more effective treatment or diagnosis of a life-threatening or irreversibly debilitating disease or condition that does not have any approved or cleared alternatives.Following this, I focus on the anticipatory feature of this regulatory approach, which in turn draws on different knowledge domains to constitute and manage AIMDs as a 'risk object'.Regulatory control is not construed solely in terms of whether the regulated entity behaves strictly in adherence to specific commands, but rather in rendering a degree of predictability to its actions.Crucially, a rights-based approach better accounts for the increasing recognition that risks associated with the actual use of AIMDs cannot be adequately addressed by a set of technical practices, but will require the participation of stakeholders beyond the regulator and developers/manufacturers.

V. 'SOFTWARE AS A MEDICAL DEVICE' AS A NEW REGULATED ENTITY
The IMDRF categorizes AIMDs like IDx-DR as SaMD, which it defines as 'software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.' 85 In a succession of guidance documents, IMDRF recognizes the complex clinical use environment that SaMD may be applied within and can raise or lower the potential to create situations hazardous to patients.Conditions that contribute to the complexity ranges from those that relate to the patient (eg disease progression), those arising from clinical care (eg clinical model applied to derive the output information and the level of clinical evidence available), and those that arise from the operation of the device (eg technological characteristics of the platform the software is intended to operate on), among others.Adopting an essentially consequentialist approach that is focused on intended use of SaMD to achieve particular clinical outcomes, risk characterization is abstracted to two factors: 86 (1) significance of the information provided by the SaMD to the healthcare decision; and (2) state of the healthcare situation or condition.Important considerations that do not influence the determination of the risk category of the SaMD (eg transparency of the inputs used, technological characteristics used by the SaMD, and more upstream considerations) are not included in this risk categorization framework.It bears repetition and emphasis that by this approach, risk characterization is derived mainly from 'objective' information that is provided by the manufacturer on intended use of the SaMD in clinical care.Such use may be significant in one of three ways: (i) to treat or to diagnose; (ii) to drive clinical management; or (iii) to inform clinical management.The significance of an intended use is then associated with a healthcare situation or condition, which may be one of three states: (1) critical situation or condition; (2) serious situation or condition; and (3) non-serious situation or condition.Schematically, Table 2 presents the risk characterization framework comprising four different levels of risk based on the degree of impact on the health of patients or target populations. 87As IMDRF also explains, every SaMD will have its own risk category according to its definition statement, even when it is interfaced with other SaMD, other hardware medical devices, or used as a module in a larger system. 88Risk categorization thereby relies on 'accurate and complete' SaMD definition statement from the manufacturer in the determination of the risk category by associating the significance of the information provided by the SaMD with the healthcare decision and the healthcare situation or condition. 89These categories are in relative significance to each other, with the highest category being applicable to SaMD used across multiple healthcare situations or conditions.This definition of SaMD has been adopted by all major AIMD jurisdictions, along with characteristics that delineate an SaMD and the regulatory implications that follow.In the USA, the FDA has set out an assessment rubric to help manufacturers  determine if a device is an SaMD or not. 90Similarly, the NMPA in China specified eight special requirements that must be met in addition to those specified as good manufacturing practice for medical devices in general in order for a device to qualify as SaMD. 91These requirements include specifications pertaining to design development, quality management, and adverse event monitoring and analysis, and are based on the regulatory principles of the IMDRF and the international standard IEC 62304 (on software), 92 which the USA and the EU have harmonized their standards with.In the EU, I have earlier on indicated that the MDR adopts a wider definition of medical device to include software and a new classification scheme for software has come into operation. 93Innovative regulatory changes accompanied the introduction of SaMD as a new regulated entity, of which I focus on three that are most pertinent to this paper.

V.A. Responsiveness to Change over Total Product Lifecycle
The regulatory principles proposed by the IMDRF, which have been endorsed by the FDA and similar regulatory authorities in the EU and in China, continue to apply a

20
• Implementing HRS in regulatory governance of AIMDs binary scheme of risk assessment and risk management.However, the divide between this binary is blurring, particularly in view of the fact that the regulatory approach that is put forward emphasizes total product/device lifecycle.This better accounts for modifications that will be made to the device through real-world learning and adaptation.Such adaptation through ML enables a device to change its behavior over time based on new data and optimize its performance in real-time with the goal of improving health outcomes.Importantly, manufacturers are expected to have an appropriate level of control to manage changes during the lifecycle of the SaMD.IMDRF labels any modifications made throughout the lifecycle of the SaMD, including its maintenance phase, as 'SaMD Changes'. 94Software maintenance is in turn defined in terms of four types of postmarketing modifications that could occur in the software lifecycle processes identified by the International Organization for Standardization, 95 namely, 96 (i) adaptive maintenance (modification performed to keep the software product usable in a changed or changing environment); (ii) perfective maintenance (modification to detect and correct latent faults in the software product before they are manifested as failures); (iii) corrective maintenance (reactive modification of a software product performed after delivery to correct discovered problems); and (iv) preventive maintenance (modification of a software product after delivery to detect and correct latent faults in the software product before they become operational faults).When a manufacturer makes changes to SaMD that results in the change of the definition statement, the categorization of SaMD will need to be re-evaluated.As the IMDRF explains, change is inevitable since failures that arise may be due to errors, ambiguities, oversights or misinterpretation of the specification that the software is intended to satisfy, problems in writing code, inadequate testing, incorrect or unexpected usage of the software, or other unforeseen problems.For a software change management process to ensure that the modified SaMD remains safe and of acceptable quality and performance, it will need to include considerations relating to the following: 97 As indicated above, FDA produced an action plan to develop and apply innovative approaches to the regulation of medical device software and other digital health technologies. 98A proposed premarket review mechanism seeks to introduce a Predetermined Change Control Plan (PCCP) in the premarket submission, in order to give effect to the risk categorization and risk management principles, as well as the total product lifecycle approach, of the IMDRF. 99The plan will need to include an indication of what anticipated modifications a manufacturer intends to make through learning (or SaMD pre-specifications, or 'SPS'), and associated methodology that is used to implement the changes in a controlled manner while allowing risks to patients to be managed (referred to as Algorithm Change Protocol).In essence, the proposed changes will place on manufacturers a greater responsibility of monitoring the realworld performance of their medical devices and to make available the performance data through periodic updates on what changes were made as part of the approved SPS and the Algorithm Change Protocol.In totality, these proposed changes will enable the FDA to evaluate and monitor, collaboratively with manufacturers, an ML software as medical device from its premarket development to post-market performance.The nature of the FDA's regulatory oversight will also become more iterative and responsive in assessing the impact of device optimization on patient safety.In October 2021, a joint statement was issued by the FDA, Health Canada, and the UK's Medicines and Healthcare products Regulatory Agency on 10 guiding principles for Good Machine Learning Practice (GMLP).These principles include the recommendation of leveraging on multidisciplinary expertise throughout the total product life cycle of an AIMD. 100 As earlier considered, the regulation of AIMDs as SaMD represents an important regulatory innovation in response to a regulated product that is constantly changing.However, as Kerstin Vokinger and her colleagues explain, 101 this strategy incorporates significant evidence of safety and effectiveness prior to market entry, preapprove updates and changes that require only minimal regulatory oversight, and a high level of transparency to empower patients and healthcare providers.However, it also renders understanding the performance of post-approval AIMDs and their availability to (as well as impact on) users more challenging. 102In the next section, I consider how imple-menting the HRS could help address these challenges in the regulatory governance of AIMDs.

V.B. Traceability in Strengthened Post-Market Surveillance
It is generally recognized that testing of software is not sufficient to ensure safety in its operation.Safety features need to be built into the software at the design and development stages, and supported by quality management and post-marketing surveillance after the SaMD has been installed.Post-market surveillance include monitoring, measurement, and analysis of quality data through logging and tracking of complaints, clearing technical issues, determining problem causes and actions to address, identify, collect, analyze, and report on critical quality characteristics of products developed.However, monitoring software quality alone does not guarantee that the objectives for a process are being achieved. 103As a quality management system (QMS) requirement, the IMDRF states that maintenance activities should preserve the integrity of the SaMD without introducing new safety, effectiveness, performance, and security hazards.It recommends that risk assessment, including considerations in relation to patient safety and clinical environment and technology and systems environment, should be performed to determine if the changes affect the SaMD categorization and the core functionality of SaMD as set out in its definition statement. 104Principles that underscore a QMS are set out as (1) an organizational support structure to provide leadership, accountability, and governance with adequate resources to assure the safety, effectiveness, and performance of the device; 105 (2) lifecycle support processes that are scalable for the size of the organization and applied consistently across all realization and use processes (ie requirements management, design, development, verification and validation, deployment, maintenance, and decommissioning of the product); 106 and (3) a set of realization and use processes that are scalable for the type of device and the size of the organization that take into account important elements required for assuring safety, effectiveness, and performance. 107These principles are largely reflected in the more collaborative relationship between regulators and the developers and/or manufacturers of AIMDs, but do not currently extend to patients and healthcare providers, as users.
In order to advance ML and to account for a wider range of actual uses that AIMDs could be applied toward, regulatory governance will need to be more participatory in actively and meaningfully involving patients, healthcare providers, and other users or operators.The development of a tracking system for high-risk devices, which is based on the principles set out by the IMDRF on the establishment of a 'Unique Device Identification' (UDI), points us in this direction. 108Such a system of identification requires these devices to bear a unique identifier in human and machine-readable form in order to improve monitoring and tracking of these devices from the point of their manufacture to their use and eventual decommissioning.In its action plan of January 2021, the FDA acknowledged the need to support a patient-centered approach in initiatives like labeling of medical devices to promote transparency to AIMD users, to support regulatory science efforts to develop methods for evaluating and improving AIMDs, and to advance real-world performance pilots. 109 In the EU, a UDI system has been introduced pursuant to Article 27 of the MDR, and Article 24 of the IVDR. 110In China, a UDI system has similar been introduced pursuant to Article 38 of Order 739 and is piloted in a number of cities and provinces. 111

V.C. Increased Transparency
Apart from initiatives like the UDI systems, regulators in these major AIMD jurisdictions also seek to enhance transparency by ensuring greater availability of information to patients, as well as in the public domain.In the EU, an implant card and information about an implantable device must be supplied to the patient in accordance with Article 18 of the MDR. 112As a wider initiative, a comprehensive EU database (EUDAMED) on medical devices and certain post-marketing events (such as modifications or withdrawal of products) has been introduced.However, the EUDAMED database is currently only accessible by national competent authorities although a new version of the platform is being developed to serve multiple purposes that include product registration, collaborative arrangements with manufacturers, notification provision, and public dissemination of information. 113n a review of the current state of the art in AIMDs, Eric Topol highlights the need for rigorous studies, publication of the results in peer-reviewed journals, and clinical validation in a real-world environment before these devices may be scaled up on implementation and impact on patient care. 114Even with the innovative regulatory developments considered above, a number of challenges remain. 115These include lack of clarity over the evidential threshold that is needed to meet clinical (for medical devices) or performance (for in vitro devices) evaluation, extent of data that are required for verification and validation, degree to which ML needs to fit with risk management elements of harmonized standards set out by the International Organization of Standards, the need for ML to be human interpretable, and the appropriate level of responsiveness to dynamic changes from ML.To meet these challenges, there will be growing reliance on the participation of patients, healthcare providers, and caregivers in real-world conditions as existing AIMDs apply ML capabilities, even as a greater number of diverse AIMDs are introduced into clinical and ambulatory care.The erstwhile dominant risk-based discourse applied in the regulation of medical devices is silent on participation, beyond established dealings between regulatory agencies and manufacturers (and their representatives).A rights-based approach that is centered on the HRS can help to address this deficiency and thereby steer regulatory and technological innovation forward.

VI. PARTICIPATION IN REGULATION GOVERNANCE UNDER HRS
Conventionally, the responsibilities of risk assessment and risk management have been largely confined to regulators and device manufacturers or their representatives (known as marketing authorization holders in some jurisdictions).In the earlier sections, I have highlighted how the regulatory character and approach toward AIMDs have started to shift from being essentially technical in focus and point-in-time in regulatory intervention to being more collaborative, participatory, and anticipatory.In this respect, a participatory governance across society ( ) is an explicit regulatory principle in China. 116Not much is said about these emerging characteristics, apart from a commitment on the part of regulators to be more engaged and patient-centered.The HRS can help to steer future development in the regulatory governance of AIMDs and SaMDs, and in ways that could meaningfully involve other interested stakeholders, particularly patients with unmet medical needs.For instance, HRS scholars have explained how HRS makes clear state obligations to enable and promote access by children with HIV (a neglected population) to child-specific and child-friendly HIV treatment options through measures that include the adoption of legal and policy frameworks to support research and development that involves children, and in ensuring the participation of marginalized communities in decision-making processes. 117There is however no reason why participation should be limited to patients.As noted earlier, 'benefits' in HRS include the role of science in forming critical and responsible citizens who are able to participate fully in a democratic society. 118In this connection, HRS scholars have also proposed a framework, 119 as well as indicators, 120 as a means of evaluating policy and regulatory choices against the obligations derived from the HRS.In this section, I will look into how the HRS could help realize a form of collaboration and participation through regulatory networks that apply a common fund of knowledges.character, strengths, and limitations, they generally need to be enabled/supported through regulatory/policy-based platforms or interventions.In view of the greater connectivity of AIMDs, HRS imposes an obligation on states (as regulators) to devise means to enable, as well as sustain, meaningful participation and collaboration.For patients and healthcare providers, meaningful participation could mean access to AIMDs, perhaps even at the design stage, if such access presents the prospect of more independent functioning for patients, and the opportunity to 'participate in scientific life'. 121For regulators and AIMD developers and/or manufacturers, implementing HRS should increase community engagement and participation. 122ne modality that may be considered is that of a regulatory network, which adapts David Levi-Faur's definition of a 'network' as encompassing a set of relationships of a non-hierarchical and interdependent nature that link a variety of actors. 123The network is 'regulatory' in the participatory involvement of national regulatory agencies (eg FDA) and supranational entities (eg IMDRF, which could itself be construed as a regulatory network). 124The relationships within such a network may be stabilized by institutional and/or network specific arrangements, associations and mechanisms that are directed at achieving particular aims and objectives.From Annelise Riles's ethnographic research, we know that these goals need not necessarily be premised on a set of shared values, interests, or culture. 125In another study, the 'publics' of a particular regenerative medicine technology were found to have been co-produced through an institutionalized 'bioethics-as-public-policy' national platform. 126These 'publics'comprised of institutions and institutionally bound individuals-resemble a network in a number of ways.They were brought into a particular set of relationship within a deliberative space created in the main by consultation papers and reinforced through a variety of means that included public meetings, conferences, and feedback sessions.But these 'networks' are not static.They vary with, but also shape, the broader discourse of science and expectations as to how science ought to be valued  -9, 68 (2001).In her study of Fijian non-governmental organizations that participated in the 1995 United Nations Beijing Conference on Women, Annelise Riles observes that networkers they understood themselves to be sharing in their involvement in a certain network that was a form of institutionalized association devoted to information sharing.What defined networkers most of all was the fact that they were personally and institutionally connected or knowledgeable about the world of Pacific institutions and networks.It was the work of creating documents, organizing conferences, or producing funding proposals that generated a set of personal relations that drew people together and also created divisions of its own.126 Calvin Wai Loon Ho, Juridification in Bioethics (2016).
become known as a 'regulatory sandbox' is yet another modality of network-based participatory engagement. 127RS imposes an obligation on regulators to establish inclusive networks that enable wide participation in the development and governance of AIMDs.Given that the private sector has had a dominant presence in defining the technological agenda and trajectory, whether its Google's DeepMind in the USA or SenseTime in China, there is arguably a greater need for regulators to spearhead collaboration and participation of the wider public.While commercial interests are not in and of themselves problematic, narrow (or 'light-touch') regulatory focus and absence of broader and meaningful participation could be.Clearly, one should be careful to pay heed to the extent to which the agendas for risk assessment are determined mainly by sectorial interest groups that are not incentivized to pursue questions relating to who has the legitimate power to decide which risks should be prioritized and how issues of 'social benefit' and 'technological progress' should be defined.This in turn presents question of priority and transparency in the public domain, particularly the need to consider what has been left out, notably the 'social' and the quality of professional relationships.In this respect, Joshua Kroll reminds us that the 'black-box' or opacity concern associated with ML is an unhelpful distraction from thinking about how software systems are validated and how that validation is verified by end users or governance bodies.As he explains: 128 'Opacity in sociotechnical systems results from power dynamics between actors that exist independent of the technical tools in use.'

VI.B. Common Fund of Knowledges as Anticipatory Knowledge
I explained above that HRS requires public interventions like regulatory networks to enable the right of an interested person to participate in and to enjoy the benefits of scientific progress and its application.The HRS also has an instrumental value, as regulatory networks that give it expression could be an essential tool for the realization of other ESCR, of which the right to health is especially relevant to the present discussion. 129In order to be effective in linking the HRS and the right to health, regulatory networks must enable and sustain a culture of learning and experimentation that is, from an epistemic standpoint, pluralistic.In this sense, regulatory networks may be 'legal' in form (and to some degree, function), but its epistemic character could be conceptualized as 'common fund of knowledges'.Mariana Valverde and others illustrate how legal processes are inherent to (but not merely the means of) understanding the risk of a repeat sexual offence under 'Megan's Law', which encompasses the US community notification statutes relating to sexual offenders. 130Comprising three tiers, this risk assessment process determines the scope of community notification.In examining the constitutional basis of Megan's Law, they observe that 'the courts have empha-sized the scientific expertise that is said to be behind the registrant risk assessment scale (RRAS) in order to argue that Megan's Law is not a tool of punishment but rather an objective measure to regulate a social problem.' Reliance on Megan's Law as grounded in objective scientific knowledge has given rise to an 'intermediary knowledge in which legal actors -prosecutors and judges -are said not only to be more fair but even more reliable and accurate in determining a registrant's risk of re-offence.' 131 Instructively, the study illustrates how scientific knowledge may be pooled with other 'knowledges' of law and of social care as a 'common fund', without having to expand 'law' in a doctrinal sense.In this way, legal and regulatory processes may be cognitively and normatively open, in that the RRAS was part of judicial decision-making, but was not itself a legal process.It is in this sense that the epistemic character of regulatory networks should be pluralistic; in comprising a 'common fund of knowledges', and also in terms of epistemic commingling, as network actors must work across legal and extra-legal knowledge systems, different fields of law, 132 as well as governance systems. 133t is important to recognize that in giving expression to the HRS in this manner, an essentially static and technical conception of 'risks' gives way to one that is anticipatory and collaborative.A 'common fund of knowledges' constitutes 'risks' as a means of generating 'anticipatory knowledge', which may be understood as 'social mechanisms and institutional capacities involved in producing, disseminating, and using such forms [as] . . .forecasts, models, scenarios, foresight exercises, threat assessments, and narratives about possible technological and societal futures'. 134Like Ian Hacking's 'looping effect', 135 anticipatory knowledge is about knowledge-making about the future, and could operate as a means to gap-filling.Here, HRS requires that network actors are capacitated with the right to benefit from scientific knowledge and scientific modes of inquiry (eg based on a degree of disinterestedness and organized scepticism), not only as a basis of civic engagement or participation, but also in making decision or policy choices.Since the HRS is linked to and dependent on other human rights (and vice versa), a broader range of normative resources become available.Notably, the 'common fund of knowledges' that underscores anticipatory action in international humanitarian law may provide helpful guidance on how affected individuals and communities can be engaged in decision-making ahead of a serious concern or health crisis. 136While it is beyond the scope of this paper to discuss how principles and approaches in international humanitarian law could be applied to AIMDs, the points to emphasize here is that the HRS shows how different knowledge systems could be drawn together, often if not always through a mode of collaborative and/or participatory engagement, 137 in anticipatory knowledge creation and action.Applying a similar analysis, Graeme Laurie and others explain that foresighting as a means of devising anticipatory knowledge is neither simple opinion surveying nor mere public participation. 138It must instead be directed at the discovery of shared goals, the development of shared lexicons, the forging of a common vision of the future, and the taking of steps to realize the vision with the understanding that this is being done from a position of partial knowledge about the future.In the context of genomic medicine, Bartha Knoppers explains how networks like the Global Alliance for Genomics and Health similarly pools together a 'common fund of knowledges' through interconnectedness across different epistemic and practice domains in the development of an anticipatory governance that enables a learning health system. 139Arguably, this approach could better explain the regulatory trajectory for AIMDs (as envisaged by the IMDRF) in terms of the HRS described in the Venice Statement as being more open to beneficial access by, and contributions from, a diverse range of interested parties, and in a manner that promotes the conservation, development, and diffusion of science and technology in the public interest. 140hile regulatory networks and their epistemic character have instrumental value, HRS as an intrinsic value makes clear their normative commitments.As a rightsbased approach, regulatory networks must respect the indivisibility and universality of human rights, and the principle that every person is free and equal in dignity and rights.Participation is already a well-established principle in rights-based approaches, as are the related principles of accountability, non-discrimination and equality, empowerment, and legality, which regulatory networks should also give expression to. 141his is consistent with the normative substance of an AIMD regulatory system that scholars have expounded on, 142 and at a practical level, I have highlighted (in Section V) complementary changes in regulatory mindset and mechanisms, particularly in the shift from traditionally point-in-time to a more holistic total device-specific lifecycle approach.
Implementing HRS in regulatory governance of AIMDs • 29

VII. CONCLUSION
The regulatory governance of medical devices has conventionally been underpinned by an essentially risk-based discourse, evident in intricate risk classificatory schemes and regulatory mechanisms that operate on the binary of risk assessment and risk management (or safety and effectiveness more generally).For conventional medical devices, this risk-based approach has in turn established particular understandings of regulatory order, but largely confined to regulators and developers/manufacturers interacting at specific points in regulatory time.The key features of risk-based approaches in major medical device jurisdictions like the USA, the EU, and China are considered in Section III.The advent of AIMDs with ML capability, along with policy initiatives like learning healthcare systems, challenges the effectiveness and viability of risk-based approaches, as I explained in Section IV.The high connectivity of AIMDs and the ability to continuously monitor them through a UDI system present novel questions as to how risk objectification and localization should be conceptualized and visualized, among other challenges.Innovative regulatory responses introduced by constituting AIMDs as SaMDs, adopting a total device-specific lifecycle regulatory mindset and other measures considered in Section V, could help to stitch together regulatory lesions that have emerged.However, these measures are only sustainable if there are participatory and collaborative means by which regulators and developers/manufacturers can engage with a wider range of interested stakeholders (particularly AIMD users).In Section VI, I have proposed a rights-based approach that is centered on HRS for the regulatory governance of AIMDs.This approach could be in the form of a regulatory network that draws on a 'common fund of knowledges' to formulate anticipatory responses to adaptive AIMDs.To be sure, my proposal is not for the replacement or displacement of risk-based approaches.My point is that the recent measures introduced to sustain risk-based approaches are unlikely to be effective without incorporating rights-based elements or approaches.
In the light that patients and other users will become more involved in the development of AIMDs, through participation in real-world evidence generation programs for instance, safeguards to ensure fairness and equity, privacy and security, and trust are yet to be fully devised and implemented. 143HRS lends clarity to the substantive purposes and normative goals that could help advance the regulatory science and art that is applicable to AIMDs, and complements to the more processual focus of the IMDRF's principles and mechanisms.As I have explained in Section II, HRS imposes an obligation on regulators to 'adopt legislative, administrative, budgetary, and other measures and establish effective remedies aimed at the full enjoyment of the right to participate in and to enjoy the benefits of scientific progress and its applications.' 144here research is concerned, there are clear ethical and regulatory measures in place to protect people involved in research in most jurisdictions, including the USA, the EU, and China. 145The challenge, moving forward, is to devise regulatory approaches that capacitate any interested person to participate and collaborate in shaping sociotechnical imaginations around adaptive AIMDs.

For medical technologies in general, states have a duty to make available and accessible to all persons (and especially to the most vulnerable) all the best
Id., at paragraphs 67-76.While the UNCESCR's discussion mainly focuses on medical products like pharmaceutical drugs and vaccines, it is also applicable to medical devices.Those aspects of the discussion that relate to intellectual property is not considered as they fall outside the scope of this paper.

Table 1 .
provides an overview of Classification of Medical Devices by Risks in the USA, China, and the EU

Table 2 .
Risk Characterization Framework for Software as a Medical DeviceThe significance of an intended use is then associated with a healthcare situation or condition, which may be one of three states: (a) Critical situation or condition, where the type of disease or condition is (i) life-threatening, requires major therapeutic interventions or time critical; (ii) applies to a vulnerable population; and (iii) intended for specialized trained users; (b) Serious situation or condition, where the type of disease or condition is (i) moderate in progression (and often curable), does not require major therapeutic interventions, and is not time critical; (ii) applies to a target population the is not vulnerable; and (iii) may be used by specialized trained users or lay users; and (c) Non-serious situation or condition, where the type of disease or condition is (i) slow with predictable progression of disease state, can be managed effectively even if not curable, and requires only minor and normally non-invasive therapeutic interventions.Level IV (eg SaMD that performs diagnostic image analysis for making treatment decisions in patients with acute stroke, or screens for mutable pandemic outbreak that can be highly communicable through direct contact or other means) being of the highest impact, while Level I (eg SaMD that analyzes optical images to guide next diagnostic action of astigmatism) being the lowest.
supra note 53, Article 2(1) and Section 6.3 of Chapter III of Annex VIII (Rule 11).Broadly speaking, software that monitors physiological processes is classified as class IIa, and a high-risk classification applies if the information that the software provides is used to take decisions that could lead to serious deterioration of a person's state of health or a surgical intervention (the device would then be in the class IIb category), or could cause death or an irreversible deterioration of a person's state of health (in which case, the device would be in the class III category).
. Arguably, what has 121 Bidault, supra note 17. 122 See for instance: V. J. Bradley, Implications of the Right to Science for People with Disabilities, in The Right to Science: Then and Now 150-165 (Porsdam and Porsdam Mann, eds., 2021).With reference to the Convention on the Rights of People with Disabilities, Bradley explains that the HRS holds the promise of the ability for disable people to live independently, re-examine the construct of disability and increase participation in the community.